CLAIMS 

We Claim: 

1. In a computer system comprising a processor and a memory, a method for
detecting viruses in macros, the method comprising:

obtaining comparison data including information for detecting a virus;

retrieving a macro;

decoding the macro to produce a decoded macro; and
scanning the decoded macro for a virus by comparing the decoded macro to
the comparison data.

2. The method of claim 1, further comprising:

removing the virus from the macro to produce a treated macro if the step of
scanning the decoded macro indicates that the macro is infected with
the virus.

3. The method of claim 1, wherein the step of retrieving a macro comprises:
accessing a targeted file;
determining whether the targeted file is a template file;
if the targeted file is not a template file, determining whether the targeted
file includes an embedded macro; and
if the targeted file includes an embedded macro, locating the embedded



4. The method of claim 1, wherein the comparison data includes a first suspect
instruction identifier and a second suspect instruction identifier.

5. The method of claim 4, wherein the step of scanning the decoded macro to
determine whether it includes a virus comprises:

determining whether the decoded macro includes a first portion which
corresponds to the first suspect instruction identifier;
determining whether the decoded macro includes a second portion which
corresponds to the second suspect instruction identifier; and
determining that the decoded macro includes the virus if the decoded macro
includes the first and second portions.

6. The method of claim 5, wherein the first suspect instruction identifier
detects a macro virus enablement instruction.

7. The method of claim 6, wherein the second suspect instruction identifier
detects a macro virus reproduction instruction.



8. The method of claim [illegible], wherein the step of removing the virus comprises:
locating a first suspect macro instruction in the decoded macro which
corresponds to the first suspect instruction identifier; and
removing the first suspect macro instruction.



9. The method of claim 8, further comprising:
verifying the integrity of the treated macro; and
replacing the infected macro in a targeted file with the repaired macro
dependent upon the integrity verification of the treated macro.

10. The method of claim [illegible], wherein the step of removing the first suspect
macro instruction includes replacing the first suspect instruction with a benign
instruction.

11. The method of claim [illegible], wherein the step of removing the virus comprises:
locating a second suspect macro instruction in the decoded macro which
corresponds to the second suspect instruction identifier; and
removing the second suspect macro instruction from the decoded macro to
produce a treated macro.




12. The method of claim 1, wherein the comparison data includes a plurality of
sets of suspect instruction identifiers.

13. The method of claim 12, wherein a first set of suspect instruction identifiers
comprises the strings 73 CB 00 0C 6C 01 00 and 67 C2 80.

14. The method of claim [illegible], wherein a second set of suspect instruction
identifiers comprises the strings 73 CB 00 0C 6C 01 00 and 64 6F 02 67 DE 00 73
87 01 12 73 7F, a third set of suspect instruction identifiers comprises the strings
73 CB 00 0C 6C 01 00 and 6D 61 63 72 6F 73 76 08, a fourth set of suspect
instruction identifiers comprises the strings 12 6C 01 00 and 64 67 C2 80 6A 0F
47, and a fifth set of suspect instruction identifiers comprises the strings 79 7C 66
6F 72 6D 61 74 20 63 6A and 80 05 6A 07 43 4F 4D.




15. In a computer system comprising a processor and a memory, a method for
detecting viruses in macros, the method comprising:

retrieving a macro;
obtaining comparison data for detecting a virus, the comparison data
including a first suspect instruction identifier and a second suspect
instruction identifier;
scanning the macro to determine whether the macro includes a first portion
which corresponds to the first suspect instruction identifier;
scanning the macro to determine whether the macro includes a second
portion which corresponds to the second suspect instruction
identifier; and
determining that the macro is infected with the virus if the macro includes
the first and second portions.

16. The method of claim 15, further comprising:

treating the macro to produce a treated macro if it is determined that the
macro includes the first and second portions.

17. The method of claim [illegible], wherein the step of treating the macro comprises:
locating a first macro instruction in the infected macro which corresponds
to the first suspect instruction identifier;
removing the first macro instruction from the infected macro to repair the
infected macro.

18. The method of claim [illegible], wherein the step of treating the macro comprises:
locating a second macro instruction in the infected macro which
corresponds to the second suspect instruction identifier; and
removing the second macro instruction from the infected macro to repair
the infected macro.

19. The method of claim [illegible], wherein the step of retrieving a macro comprises:
accessing a targeted file; and
determining whether the targeted file is a template file;
if the file is not a template file, determining whether the targeted file
includes an embedded macro; and
if the file includes an embedded macro, locating the embedded macro.



20. The method of claim 15, wherein the first [illegible] identifier includes the
string 73 CB 00 0C 6C 01 [illegible] and the second suspect instruction identifier
includes the [illegible]



21. The method of claim [illegible], wherein the comparison data includes a plurality
of sets of suspect instruction identifiers.



22. The method of claim 21, wherein a first set of suspect instruction identifiers
comprises the strings 73 CB 00 0C 6C 01 00 and 67 C2 80, a second set of suspect
instruction comprises the strings 73 CB 00 0C 6C 01 00 and 64 6F 02 67 DE 00 73
87 01 12 73 7F, a third set of suspect instruction identifiers comprises the strings
73 CB 00 0C 6C 01 00 and 6D 61 63 72 6F 73 76 08, a fourth set of suspect
instruction identifiers comprises the strings 12 6C 01 00 and 64 67 C2 80 6A 0F
47, and a fifth set of suspect instruction identifiers comprises the strings 79 7C 66
6F 72 6D 61 74 20 63 6A and 80 05 6A 07 43 4F 4D.

23. The method of claim [illegible], further comprising:
accessing a targeted file; and
locating the macro within the targeted file;
removing the macro from the targeted file; and
adding the treated macro to the targeted file to produce a corrected file.

24. An apparatus for detecting viruses in macros, the apparatus comprising:
a virus information module, for storing comparison data for detecting a
virus, the comparison data including a first suspect instruction
identifier and a second suspect instruction identifier; and
a macro virus scanning module, in communication with the virus
information module, for receiving the comparison data and scanning
a macro to determine whether the macro includes a first portion
which corresponds to the first suspect instruction identifier and a
second portion which corresponds to the second suspect instruction



25. The apparatus of claim 24, further comprising:

a macro locating and decoding module, in communication with the macro
virus scanning module, for accessing a targeted file, determining
whether the targeted file is a template file, determining whether the
targeted file includes an embedded macro, and decoding the macro
to produce a decoded macro.

26. The apparatus of claim [illegible], further comprising:

a macro treating module, in communication with the virus information
module, for accessing the decoded macro and removing a first macro
instruction which corresponds to the first suspect instruction
identifier and a second macro instruction which corresponds to the
second suspect instruction identifier to produce a treated macro.

27. The apparatus of claim 26, further comprising:

a file correcting module, in communication with the macro treating module,
for accessing the targeted file, locating the macro within the targeted
file, removing the macro from the targeted file and adding the treated
macro to the targeted file to produce a corrected file.

28. The apparatus of claim 27, wherein the first instruction identifier includes
the string 73 CB 00 0C 6C 01 00 and the second suspect instruction identifier
includes the string 67 C2 80.

29. The apparatus of claim 27, wherein the comparison data includes a plurality
of sets of suspect instruction identifiers.

30. The apparatus of claim 29, wherein a first set of suspect instruction
identifiers comprises the strings 73 CB 00 0C 6C 01 00 and 67 C2 80, a second set
of suspect instruction comprises the strings 73 CB 00 0C 6C 01 00 and 64 6F 02
67 DE 00 73 87 01 12 73 7F, a third set of suspect instruction identifiers comprises
the strings 73 CB 00 0C 6C 01 00 and 6D 61 63 72 6F 73 76 08, a fourth set of
suspect instruction identifiers comprises the strings 12 6C 01 00 and 64 67 C2 80
6A 0F 47, and a fifth set of suspect instruction identifiers comprises the strings 79
7C 66 6F 72 6D 61 74 20 63 6A and 80 05 6A 07 43 4F 4D.

31. An apparatus for detecting viruses in macros, the apparatus comprising:
means for obtaining comparison data for detecting a virus, the comparison
data including a first suspect instruction identifier and a second
suspect instruction identifier;






means for scanning the macro to determine whether a macro includes a first
portion which corresponds to the first suspect instruction identifier;

means for scanning the macro to determine whether the macro includes a
second portion which corresponds to the second suspect instruction
identifier; and

means for determining that the macro is infected with the virus if the macro
includes the first and second portions.

32. The apparatus of claim [illegible], further comprising:

means for locating a first macro instruction and a second macro instruction
within the macro which respectively correspond to the first suspect
instruction identifier and the second suspect instruction identifier;
and

means for removing the first macro instruction and the second macro
instruction from the macro to produce a treated macro.

33. The apparatus of claim 32, further comprising

means for accessing a targeted file and determining whether the targeted
file includes a macro.

34. The apparatus of claim 33, further comprising:

means for correcting a file, the means for correcting a file including means
for accessing the targeted file, means for removing the macro from
the targeted file and means for adding the treated macro to the
targeted file to produce a corrected file.



35. A system for detecting viruses in macros, the system comprising:
memory, for storing routines and comparison data for detecting a virus,
the comparison including a first suspect instruction identifier and a
second suspect instruction identifier; and

processor, in communication with the memory, for receiving the
comparison data and scanning a macro to determine whether the
macro includes a first portion which corresponds to the first suspect
instruction identifier and a second portion which corresponds to the
second suspect instruction identifier.
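The paired-identifier test recited in claims 5 and 15, run over the five identifier sets listed in claim 30, as an added Python example that is not part of the patent text. The function names and the sample buffers are constructed for illustration, and the byte strings are read with the letter O of the scanned text taken as the digit 0.

```python
"""Paired-identifier scan of a decoded macro (illustrative, added example)."""

def h(s: str) -> bytes:
    return bytes.fromhex(s)

# Five sets of suspect instruction identifiers as recited in claim 30:
# (first identifier, second identifier).
SIGNATURE_SETS = [
    (h("73 CB 00 0C 6C 01 00"), h("67 C2 80")),
    (h("73 CB 00 0C 6C 01 00"), h("64 6F 02 67 DE 00 73 87 01 12 73 7F")),
    (h("73 CB 00 0C 6C 01 00"), h("6D 61 63 72 6F 73 76 08")),
    (h("12 6C 01 00"), h("64 67 C2 80 6A 0F 47")),
    (h("79 7C 66 6F 72 6D 61 74 20 63 6A"), h("80 05 6A 07 43 4F 4D")),
]

def find_all(haystack: bytes, needle: bytes) -> list:
    """Offsets of every occurrence of needle, overlapping ones included."""
    hits, pos = [], haystack.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = haystack.find(needle, pos + 1)
    return hits

def scan_macro(decoded: bytes, sets=SIGNATURE_SETS) -> list:
    """Report a set only when BOTH of its identifiers occur in the macro.

    The offsets are kept so a later treatment step can locate the
    instructions that matched (claims 8 and 11).
    """
    findings = []
    for index, (first, second) in enumerate(sets, start=1):
        first_hits = find_all(decoded, first)
        second_hits = find_all(decoded, second)
        if first_hits and second_hits:
            findings.append(
                {"set": index, "first": first_hits, "second": second_hits}
            )
    return findings

# Constructed sample buffers (not real macro content): filler bytes placed
# around the identifiers of set 1.
PAD = b"\x64\x00\x1d"
BOTH = PAD + SIGNATURE_SETS[0][0] + PAD * 2 + SIGNATURE_SETS[0][1] + PAD
FIRST_ONLY = PAD + SIGNATURE_SETS[0][0] + PAD * 3

if __name__ == "__main__":
    for name, buf in (("both identifiers", BOTH), ("first only", FIRST_ONLY)):
        print(name, scan_macro(buf))
```

A buffer holding only one identifier of a pair yields no finding, which is the effect of requiring both portions before the macro is declared infected.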